Security expert: More developer education needed

Software vendors need to create comprehensive security education programs for their programmers in order to deliver more security software products to their customers, an Oracle Corp. security expert said Thursday.

Developer education and pressure from large buyers such as the U.S. government are two key ingredients in better software security, said Adam Jacobs, Oracle’s principal product manager, during a presentation at the InfraGard National Conference in Washington, D.C. Jacobs’ presentation was titled, “Why is commercial software so vulnerable (and how can we fix it)?”

During the InfraGard event, which focused both on cyber and physical security, Jacobs and other cybersecurity experts gave various reasons for the common complaint that commercial, off-the-shelf software is often riddled with security holes. Jacobs seemed to partly agree with David Aucsmith, chief technology officer at Microsoft Corp.’s Security Business & Technology Unit, who said at InfraGard Wednesday that software vendors often ignored security functionality in order to make their products easier to use, at least until recent years.

Aucsmith used the example of the Windows 95 operating system, which had “no security” as a design goal because users wanted an easy-to-use OS, he said. “We would get points taken away by the analysts and in the press if [software] was hard to configure,” he added.

Jacobs agreed that some software was designed poorly, but most security vulnerabilities now come from coding errors — what he called implementation errors — not in software designed to be insecure, he said. While more software vendors began focusing on designing more secure software in recent years, security bugs still exist, he added.

“The number of fixes that are coming out to you each month isn’t going down, it’s going up,” Jacobs said. “Your design on paper can be brilliant … and you hand it off to the developer and that means nothing when it comes to implementation flaws.”

The problem is that many software developers don’t understand mistakes that cause buffer overflows or SQL injections, Jacobs said. In the past, Jacobs has encountered Oracle developers who don’t understand SQL injections although that’s a common vulnerability for the databases that are part of Oracle’s core product line. Part of the problem, Jacobs said, is that many universities teach computer science theory without teaching much about the practice of programming.

Adding to the problem is that developers are often rewarded for meeting deadlines, but not for writing secure code, Jacobs added. Software vendors need to find better ways to reward slower coders who turn in cleaner code instead of giving bonuses to programmers who turn in buggy code on time, he said. After the fast coder gets his performance bonus, “it doesn’t really matter when, six months later, 15 bugs come in.”

To combat coding errors, Oracle has created its own in-house security training program, a one-day course including quizzes that all employees dealing with programming must take. Oracle received a lot of complaints from employees when the program first started, but reaction has since been positive, with some developers returning to coding projects during a break in the course to fix errors they learned about, Jacobs said.

“We can’t expect every developer to be a security expert,” he said. “What we do need is for every developer to understand security fundamentals.”

In addition to other programming challenges, it’s difficult for software vendors to hold individual programmers responsible for single errors in code, Jacobs said. In the past, a vendor who identified a programmer who created a buffer overflow vulnerability could get the response, “I didn’t know about that problem,” he said.

But the Oracle training class adds a level of personal responsibility, he added. “You can’t come back to me now and say, ‘I didn’t know about SQL injections,'” he said. “I can say, ‘Yes, you do, you took my class.'”

In addition to education programs, numerous automated tools exist to check code against common errors, Jacobs noted. But the tools aren’t perfect and can’t replace developer security education, he said.

Jacobs also urged large buyers of technology to insist on more secure software. In some cases, buyers reward cheap prices over security, however, he said.

“Oracle and any other software company isn’t going to invest the time and money to complete a product … that may be more secure, if you’re going to go to [another vendor’s software] and say it’s available faster and it’s cheaper,” he said.